MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd26de8bee55c69f5adeeebffa9b4f68800fef2130db35bd6c28d28c70d8fd5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	cd26de8bee55c69f5adeeebffa9b4f68800fef2130db35bd6c28d28c70d8fd5c
SHA3-384 hash:	9db351ec7f53df166e450f3919138b4fda2ef91bf92d1363e90ab1956828e90acc4327c55ac46f634724861ee0c296f0
SHA1 hash:	a28790eac00394bbcb09d3c4b6ecf2d92757801d
MD5 hash:	481dd8a31454f9c44a0627eb6269309c
humanhash:	helium-moon-carpet-beer
File name:	main.exe
Download:	download sample
File size:	7'354'618 bytes
First seen:	2023-05-28 00:33:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0b5552dccd9d0a834cea55c0c8fc05be (16 x LunaLogger, 16 x BlankGrabber, 8 x CrealStealer)
ssdeep	196608:jnxnNpICteEroXxDVfEqlbkkwR7VTEmLEN+x0SumEDlsyP:/pInEroXzfEqirRRomLo+uSumEDy
Threatray	265 similar samples on MalwareBazaar
TLSH	T1F976330467940CE9F5A3003AE5A48915E0B6BC334750E9CB9B7892274FA7EE57DB7F80
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	Anonymous
Tags:	exe

Anonymous

Retrieved from https://anonfiles.com/qdMbT8t2zb/main_exe

Intelligence

File Origin

# of uploads :

# of downloads :

277

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

main.exe

Verdict:

Malicious activity

Analysis date:

2023-05-28 00:36:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/573399bf-836f-4a16-a4d5-8321ca42f915

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/392690/

Detection(s):

SecuriteInfo.com.HEUR.Trojan-PSW.Python.Agent.gen.8588.26986.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a file

Launching a process

Creating a window

Sending a custom TCP request

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/88276/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware lolbin overlay packed

Link:

https://www.filescan.io/uploads/6472a17aa4e82deee725b7cc/reports/1a528a6b-e281-4270-bc43-ba32b4e5bb53/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/cd26de8bee55c69f5adeeebffa9b4f68800fef2130db35bd6c28d28c70d8fd5c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/7b6860e3-4328-4a61-bfd0-ee655e56b418

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1243924

Signature

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cd26de8bee55c69f5adeeebffa9b4f68800fef2130db35bd6c28d28c70d8fd5c/

Threat name:

Win64.Malware.Generic

Status:

Suspicious

First seen:

2023-05-28 00:34:06 UTC

File Type:

PE+ (Exe)

Extracted files:

497

AV detection:

4 of 37 (10.81%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zutn5c7okxdj6ww65277vg2pncaa73zbgdntlplmfdjiy4gy7voa._file

Verdict:

unknown

64a604a8f103b52f36a9f45ba809babfa68ee6d9e052818477d45350051ac499

6cda633387fccd75a142a0103c720e661466059974663dfca7f702fd35640415

6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8

75016e4ed0580c4b3baa3acdb2c9102eb073749ef91332d91ed982b6551ba870

7ccb7f63df4247bbe86f4c6dcea7ed51a17e0d5eea9843c29d2ef05d8208067e

94d64d00b0aa175cc28ecac33d829a33411cd0cb549018852c0ae82d592f5ec6

9d85f7e7bbce1fc023353548d2bd1a54223370ccc64f073bcd473545aa36f6bc

d2803b97a3cdb1787df9e3bd60818968fecb86bf7eb48bfa51e0757f055b95e4

+ 255 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

pyinstaller

Link:

https://tria.ge/reports/230528-awrrfsdf29/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Loads dropped DLL

Gathering data

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cd26de8bee55c69f5adeeebffa9b4f68800fef2130db35bd6c28d28c70d8fd5c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller.

Rule name:	SUSP_Imphash_Mar23_3 Create hunting rule
Author:	Arnim Rupp (https://github.com/ruppde)
Description:	Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:	Internal Research

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe cd26de8bee55c69f5adeeebffa9b4f68800fef2130db35bd6c28d28c70d8fd5c

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/392690/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample